TalkTalk gets compromised, Hackers make cars safer & Google plays hardball with Symantec.

Plus a great batch of your questions, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

TalkTalk compromise and ransom

• “TalkTalk, a British phone and broadband provider with more than four million customers, disclosed Friday that intruders had hacked its Web site and may have stolen personal and financial data. Sources close to the investigation say the company has received a ransom demand of approximately £80,000 (~USD $122,000), with the attackers threatening to publish the TalkTalk’s customer data unless they are paid the amount in Bitcoin.”
• “In a statement on its Web site, TalkTalk said a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following “a significant and sustained cyberattack on our website.””
• That sounds more like a DDoS, but those same words could be used to describe a persistent compromise, where the attackers were inside the TalkTalk network for a long time
• Possibly compromised information includes: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details
• “We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”
• So it sounds like they have no way of telling how much data was taken, and are hoping forensic analysis after the fact will tell them. Obviously they didn’t have good audit controls in place
• “A source close to the investigation who spoke on condition of anonymity told KrebsOnSecurity that the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company. However, TalkTalk’s statement says it’s too early to say exactly how many customers were impacted. “Identifying the extent of information accessed is part of the investigation that’s underway,” the company said.”
• “It appears that multiple hacker collectives have since claimed responsibility for the hack, including one that the BBC described as a “Russian Islamist group” — although sources say there is absolutely no evidence to support that claim at this time.”
• With the way things are today, lots of people will try to take credit for an attack. That is why the group demanding the ransom provided a sample of the data as proof that they actually had it
• Of course, the real attackers could have posted the data to an underground forum, and multiple groups could have the data
• “Separately, promises to post the stolen data have appeared on AlphaBay, a Deep Web black market that specialized in selling stolen goods and illicit drugs. The posting was made by someone using the nickname “Courvoisier.” This member, whose signature describes him as “Level 6 Fraud and Drugs seller,” appears to be an active participant in the AlphaBay market with many vouches from happy customers who’ve turned to him for illegal drugs and stolen credit cards, among other goods and services.”
• “It seems likely that Courvoisier is not bluffing, at least about posting some subset of TalkTalk customer data. According to a discussion thread on Reddit.com dedicated to explaining AlphaBay’s new Levels system, an AlphaBay seller who has reached the status of Level 6 has successfully consummated at least 500 sales worth a total of at least $75,000, and achieved a 90% positive feedback rating or better from previous customers.”
• Additional Coverage — The Independant
• Additional Coverage — ArsTechnica: TalkTalk hit by cyberattack
• Additional Coverage — The Register: TalkTalk: Our cybersecurity is head and shoulders above our competitors
• Additional Coverage — ArsTechnica: TalkTalk says it was not legally required to encrypt customer data
• Additional Coverage — ArsTechnica: 15 year old boy arrested in connection with talktalk breach
• Video from TalkTalk CEO
• If you do end up having money stolen from your account, TalkTalk, “on a case-by-case basis”, will wait the termination fee if you decide you no longer want to be a TalkTalk customer
• New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
• “Significant and sustained cyber attack” “sophisticated”… arrest 15 yr old kid as the hacker

Hackers make cars safer

• “Virtually every new car sold today has some sort of network connection. Most of us are aware of these connections because of the remarkable capabilities they place at our fingertips—things like hands-free communication, streaming music, advanced safety features, and navigation. Today’s cars are a rolling network of small computers that control the drivetrain, braking, and other systems. And just like the entertainment and navigation systems, these computers are “connected,” too.”
• “This connectivity within—and between—vehicles will allow transformative innovations like self-driving cars. But it also will make our cars targets for hackers. The security research community can play a valuable role in helping the auto industry stay ahead of these threats. But rather than encouraging collaboration, Congress is discussing legislation that would make illegal the kind of research that already has helped improve the industry’s approach to security.”
• Last week, “the House Energy and Commerce Committee begins a hearing on a bill to reform the National Highway Traffic Safety Administration. However, tucked into a section concerning the cybersecurity and data collection of automobiles is language that unintentionally could create greater risks for American drivers.”
• “Now the industry has established an Intelligence Sharing and Analysis Center (ISAC) to exchange cyber threat information. This initiative is a good start. It would provide a central point of contact and collaboration about what threats are out there and how automakers can respond to them. If done well, the ISAC also could improve security standards among auto manufacturers, benefiting all consumers. (More on that here and here.)”
• “The auto industry is taking promising steps toward better security, but the bill before the Energy and Commerce Committee would be a setback. It would make it illegal for security researchers to examine the code written into today’s cars and identify security vulnerabilities or manipulations designed to thwart environmental regulations. This will make our cars more vulnerable by discouraging responsible research and chilling innovation in car security at a critical time. Moreover, tying the hands of white hat researchers will do nothing to prevent bad actors from finding the same vulnerabilities and exploiting them in potentially harmful ways.”
• “The auto industry would be better served by following the lead of information technology industry which has developed ways to work with responsible security researchers instead of against them. For years technology companies fought a losing battle on security by threatening hackers, and now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowd sourcing solutions can be effective in staying ahead of cyber threats. Stopping research before it can start sets a terrible precedent. Rather than make it illegal, Congress should try to spur collaboration between the automakers and the increasingly valuable research community.”
• US Regulators grant DMCA exemption to legalize vehicle software tinkering
• Additional Coverage: NPR
• The ruling uses the terms “good faith security research” and “lawful modification.”
• “The government defined good-faith security research as means of “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.””
• “The “lawful modification” of vehicle software was authorized “when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair or lawful modification of a vehicle function; and where such circumvention does not constitute a violation of applicable law, including without limitation regulations promulgated by the Department of Transportation or the Environmental Protection Agency; and provided, however, that such circumvention is initiated no earlier than 12 months after the effective date of this regulation.””
• Under the ruling, both exemptions don’t become law for at least a year

Google plays hardball with Symantec over TLS certificates

• “Google has given Symantec an offer it can’t refuse: give a thorough accounting of its ailing certificate authority process or risk having the world’s most popular browser—Chrome—issue scary warnings when end users visit HTTPS-protected websites that use Symantec credentials. The ultimatum, made in a blog post published Wednesday afternoon, came five weeks after Symantec fired an undisclosed number of employees caught issuing unauthorized TLS certificates. The mis-issued certificates made it possible for the holders to impersonate HTTPS-protected Google web pages.”
• Google’s Blog Post
• Symantec Report
• “Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera. However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.”
• It seems like Symantec was trying to downplay the incident, and gloss over its failings
• “Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.”
• “The mis-issued certificates represented a potentially critical threat to virtually the entire Internet population because they made it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.”
• This brings up serious questions about the management and oversight of the Symantec certificate authority
• “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner. After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products”
• “More immediately, we are requesting of Symantec that they further update their public incident report with:”
• A post-mortem analysis that details why they did not detect the additional certificates that we found.
• Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
• “We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.”
• “Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.”
• It is good to see Google using its muscle to make the CA industry smarten up and fly right

Feedback:

• Running a file server on Debian

• ZFS repairing capabilities

• Episode 237 comments and suggestions

Round up:

• 13 million plaintext passwords belonging to webhost users leaked online
• New banking trojan steals 20 million British Pounds from online bank accounts
• DOJ: Apple owns your iPhone’s software, so it should have a backdoor
• IBM tops the list of worst offenders for hosting spam, as it acquires Softlayer, which had previously acquired ThePlanet, which was known for being especially bad
• Joomla bug puts millions of websites at risk of remote takeover
• EFF Finds over 100 license plate readers that are accessible on the public internet
• Wall Street Journal subscriber base information may have been compromised
• WWII CIA (OSS) Simple Sabotage Field Manual (Field Manual #3)
• NSA issues warning about quantum cryptography, sparks concerns of secret advance in technology
• Debate over the depreciation of the leap second at the World Radiocommunication Conference Full ACM Article by Poul-Henning Kamp